cvan closed 2 years ago
Noting possible synergy with https://github.com/mozilla/fxa-oauth-server/issues/140 so it would be good to pick/develop a consistent scheme.
Have you/y'all used hawk? I found this.
Ah, I just read the issue more closely. Yes. Synergy. Heh, OAuth is hard.
Yeah, hawk has given us a surprising amount of trouble in practice, mostly due to timestamps and clock skew. I still quite like it personally but we spent a lot of time fiddling with the details when using it for FxA+sync.
You could do request signing, but being able to use curl is nice. I'd recommend OAuth bearer tokens to start.
FYI, https://github.com/mozilla/fxa-oauth-server/issues/140 is for very privileged operations from dev and op machines.
Potentially using JWTs. Keep in mind that galaxy.js (the client-side script) will be sending messages to and receiving messages from the API.